Surveillance and security: securing whom? And at what cost?
It is common knowledge that surveillance technologies keep us safe. These technologies can uncover where a would-be bomber has fled or reveal that a suspect is planning an attack on the New York City subways. Such successes, and the belief - and business - in them, have fueled a vast expansion of CCTV, wiretapping and data mining since 9/11, the Madrid bombings in 2004 and the attacks on London's public transport system in 2005. But this common knowledge is based, at best, on shaky evidence. In the face of dangerous situations, emotions tend to trump logical decision making; the reasoning goes that if even a single attack is prevented, the technology is worth having. Such reasoning is quite ill-founded. Not only does surveillance technology not necessarily keep us safe; in many instances, surveillance technologies decrease our security.
You read that correctly. The same technologies that enable the police or national-security agencies to track and discover can be used against society; the News of the World scandal has provided plenty of examples of exactly that. By accessing insecurely protected voice mail messages and using corrupt police officers to relay pinging requests, rogue reporters tracked and spied upon princes, politicians, celebrities and ordinary people in the midst of crises. That the reporters were able to do so was a result not only of corruption of the press and police, but also of surveillance capabilities, some of which were built into the technologies.
The technologies revealed today by Privacy International - the hacking tools that allow an investigator to download spyware onto a target's computer, the interception tools that allow instant automatic search for "communications of interest", the data mining tools that allow profiling of a user - build a picture of a surveillance industry gone wild - an industry that seeks to provide tools without understanding the huge potential for harm.
In the last two decades, the world has been transformed into a globalized economy heavily reliant on instant electronic communication. These communication technologies have enabled outsourcing and growth of new markets. But these same technologies also make it much simpler to conduct espionage. When data was held within a single building, discovering secrets, whether government or industrial, was extremely difficult. It took decades to develop a Kim Philby. Cyberexploitation, intelligence-gathering used for government and industrial espionage, allows such spying to be accomplished cheaply, quickly and remotely. Much can be done using the tools exhibited at ISS World and similar trade fairs.
The risk is not theoretical. The websites of Dow Chemical, Intel, Morgan Stanley, Northrop Grumman, Oak Ridge National Laboratory, the British Parliament and thousands of others have all been targeted in this way. Such cyberespionage started with government sites, but has spread to industrial ones.
Risks also come from inside. Building surveillance tools into communications networks enables simpler forms of "insider" attack. In Italy, 6,000 judges, politicians and celebrities were illegally wiretapped between 1996 and 2006. During this period, one in every 10,000 Italians was wiretapped; no major political or business deal was ever private. For ten months in 2004-2005, 100 senior members of the Greek government, including the Prime Minister, were spied upon when the wiretapping capabilities of a Greek Vodafone switch were turned on by unknown parties.
The US government now views industrial espionage as a major national-security risk (all industrialized nations are similarly at risk). Therefore, even though it makes its own law-enforcement and national-security investigations more difficult, US government policy is to encourage communications security - and not just domestically. More recently, the American government has supported the development of tools to enable secure communications by journalists, bloggers and human-rights workers around the world.
The hacking, intercept and data mining tools presented on these pages are marketed in the name of security. But who is buying these tools, and how are they being used? By enabling hacking into user systems (Vupen Security), building network surveillance tools (Packet Forensics) and tracking mechanisms, the surveillance industry may well be making all of us far less secure.
Susan Landau is a Visiting Scholar in the Computer Science Department at Harvard University.